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Abstract 

A number of authentication protocols have been proposed recently, 
where at least some part of the authentication is performed during a 
phase, lasting n rounds, with no error correction. This requires assigning 
an acceptable threshold for the number of detected errors. This paper de- 
scribes a framework enabling an expected loss analysis for all the protocols 
in this family. Furthermore, computationally simple methods to obtain 
nearly optimal value of the threshold, as well as for the number of rounds 
is suggested. Finally, a method to adaptively select both the number of 
rounds and the threshold is proposed. 

1 Introduction 

Traditionally [THIHZ] , authentication is assumed to be taking place on an error- 
free channel, and error analysis is performed separately from cryptographic anal- 
ysis of protocols. However, a number of authentication protocols have been pro- 
posed [HISllIlinilinillSlIISllISllIH], where at least some part of the authentication 
is performed during a challenge-response phase lasting n rounds with no error 
correction, due to a need to detect relay attacks by timing delays. The noise 
necessitates the use of a tolerance threshold r, such that a party is authenticated 
if the total error of its responses e is below the threshold r. 

This paper introduces a general framework for analysing such protocols. We 
assign a cost I a to the event that we authenticate a malicious party A — which 
we call the attacker — a cost (or loss) £jj to the event that we fail to authenticate 
a valid party U — which we call the user — and a cost £b for each round of the 
challenge-response phase. Our goal is to select n, r so as to minimise the expected 
loss E L. 

The paper is organised as follows. Section ll . 1 1 presents related work, while 
Section [2] introduces notation and thresholded authentication protocols. Sec- 
tion [3] contains the expected loss analysis under noise. In particular, Sec. 13.11 
suggests a method to calculate the threshold accompanied by a finite sample 
loss bound, while Sec. 13.21 provides a further bound by selecting an appropriate 
number of rounds. These results only require that the expected error of the 
attacker is higher than that of the user. Section [4] applies the above analysis 
to a number of currently used protocols. Section [5] suggests a high-probability 
method for estimating the channel noise and presents the results of simulation 
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experiments that compare our choice of threshold with thresholds derived using 
asymptotic approximations. Finally, Sec. |5] concludes the paper. For complete- 
ness, the appendix provides some useful auxilliary results regarding the finite 
sample and the asymptotic derivations. 

1.1 Related Work 

In certain authentication protocols part of the communication is performed 
in noisy channels without employing error correction. Specifically, a rapid- 
bit exchange phase was introduced in [5] to compute an upper bound on the 
distance of the prover V . This is composed of n challenge- response rounds, 
used to calculate a round-trip time and thus place a bound on the distance. 
Subsequently, a broad range of distance bounding protocols were proposed, both 
for RFID [aiiniHaHiaQS], as well as other wireless devices Q3H2D]- 

Hancke and Kuhn [7] were the first to indicate that since the rapid-bit ex- 
change phase is taking place in a noisy channel, challenges and responses may 
be corrupted. Thus, a legitimate user may fail to get authenticated. Their 
protocol (henceforth HaKu), employed n rounds and authenticated any prover 
who made a number of mistakes e less than an acceptance threshold r, so as to 
reduce the number of false rejections. Using the binomial distribution and an 
assumption on the error rates they give expressions for the false accept and false 
reject probability as a function of n and r, but they provide no further analysis. 
Nevertheless, they indicate that the number of challenge-response rounds n in 
the rapid bit exchange phase should be chosen according to the expected error 
rate. Kim et al. [10] extend this approach with the Swiss-Knife protocol by 
considering three types of errors. Finally |15j . rather than using a threshold 
r, proposed a protocol (henceforth ECMAD) using an error correcting code 
(ECC). ECMAD, which extends the MAD protocol Q15], uses only k of the n 
total rounds for the challenges and responses. The remaining n — k rounds are 
used to transmit the (n, k) ECC. This has the effect of achieving better security 
(in terms of false acceptance rates) with the same number of rounds n. 

All these approaches use n rounds in the noisy authentication phase. How- 
ever, they do not define the optimal n. They simply state that the probability 
of authenticating a user becomes much higher than the probability of authen- 
ticating an attacker as n increases. However, a large value of n is incompatible 
with the requirements of many applications and devices (i.e. high value of n 
leads to high overhead for resource-constrained devices) . This can be modelled 
by assigning an explicit cost to every round, which should take into account the 
transmission energy, computation and time overhead. This cost has so far not 
been explicitly taken into consideration. 

Another work that is closely related to ours is |14j . which, given a required 
false acceptance and false rejection rate, provides a lower bound on the number 
of required rounds. This analysis is performed for both HaKu and ECMAD. 
However, it assumes that the number of rounds n would be large enough for 
the binomial distribution of errors to be approximately normal. Our analysis 
is more general, since it uses finite-sample bounds that hold for any bounded 
error function. 

Recently, Baigneres et al. [T] have given an analysis on the related topic of 
distinguishing between a real and a fake solver of challenge-response puzzles. 
More precisely, they study CAPTCHA-like protocols and provide a threshold 
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which minimizes the probability of error in these protocols. The main differences 
between the analysis presented in this paper and [T] can be summarised below: 
(a) We perform an expected loss analysis rather than an error analysis, (b) Our 
bounds hold uniformly, while [T| uses an asymptotically optimal distinguishcr. 
(c) We consider bounded errors rather than {0, 1} errors for each challenge- 
response, (d) We additionally propose a method to estimate channel noise. 
This is of course not applicable in the context of [I], due to the different setting. 

A more general work on authentication under noisy conditions was presented 
in [llj . This provided tight information-theoretic upper and lower bounds on 
the attacker's success in impersonation and substitution attacks, proving that 
it decreased with noise. However, our analysis shows that, when one considers 
losses due to communication overhead and false rejections of users, the expected 
loss increases, which is a natural result. 

1.2 Our contribution 

In this paper, we perform a detailed expected loss analysis for a general class of 
multi-round authentication protocols in a noisy channel. The analysis is per- 
formed by assigning a loss £b to each round, and losses £a, £jj to false acceptance 
and false rejection respectively. 

We show how a nearly-optimal threshold f* for a given number of rounds n 
can be chosen and give worst-case bounds on the expected loss for that choice. 
Thus, the bounds hold no matter if the party that attempts to get authenti- 
cated is either a legitimate user U or an attacker A. This extends our previous 
work |12j . which proposed a new distance bounding protocol (Hitomi) and only 
calculated a value for the threshold r, without providing any bounds. 

We also show how a nearly-optimal number of rounds h* can be chosen and 
give further bounds on the expected loss. The bounds hold for any bounded error 
function, and not only for {0, 1} errorsQ Furthermore, they are valid for any n, 
since they are based on probability inequalities for a finite number of samples □ 
Thus, they are considerably more general to the bounds of [13] . 

Finally, we provide high-probability estimates for the current noise level in 
the channel by leveraging the coding performed in the initial and final phases 
of the protocol, which take place in a coded channel. This enables us to signifi- 
cantly weaken assumptions on knowledge of the noise level in the channel and 
in turn, provide an authentication algorithm which has low expected loss with 
high probability. 

2 Preliminaries 

We consider sequences x = xi,...,x n with all Xi in some alphabet X and 
x e X n . We write X* = U^Lo ^ or tne se * °f au sequences. We use = to 
indicate a definition. P(A) denotes the probability of event A, while E denotes 
expectations so that E(W | ^4) = J2 u en u ^'(-^ = u I A) denotes the conditional 
expectation of random variable X € f2 when A is true. The notation J-q will 
denote an appropriate er-field on il. Finally, I {A} is an indicator function equal 
to 1 when A is true and otherwise. 

1 In all previous proposals, there is either an error at each round, or there is not. 

2 The analysis in 1141 only holds for large n, so the approximation only holds asymptotically. 
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We consider shared secret challenge-response authentication protocols with 
multi-round exchanges. In such protocols, a verifier V grants access to a prover 
V, if the latter can demonstrate its identity I and possession of a shared secret 
s e X m . The protocol has three phases: (i) An initialisation phase, (ii) A 
rapid-bit exchange phase, lasting n rounds, (iii) A termination phase. A fre- 
quent assumption is that the authentication takes place in a noise-free channel. 
The extension to noisy channels is done by assuming the existence of an error 
correcting protocol. Thus, the error analysis is performed separately from the 
cryptographic analysis. Here we shall integrate the two aspects of the problem 
by performing an expected loss analysis of the authentication protocol directly 
on the noisy channel. We shall assume that the initialisation and termination 
phases are fixed (due to other security considerations) and focus on the rapid-bit 
exchange phase. 

Due to noise in the physical medium, in any exchange between V and P, the 
former may send a symbol x e X, while the latter may receive a symbol x € X 
such that x ^ x. We shall denote the probability of erroneous transmission 
in the data layer as: to = P(x ^ x), Vx,x e X. For simplicity, we shall only 
treat the case of symmetric channel noise such that: ¥(x = y \ x ^ x) = \ x *_ 1 , 
Vy ^ x, x,y e X . 

2.1 Thresholded protocols 

During multi-round challenge response authentication phase (e.g. the rapid-bit 
exchange phase in an RFID distance-bounding protocol) the verifier V sends n 
challenges Ci, . . . , c n , with Cfe € X, to the prover V, which responds by transmit- 
ting n responses n, . . . , r„, with r^ € X. We use c = (cfc)jj =1 , and r = (rfc)jj =1 to 
denote the complete challenge and response sequences respectively. The verifier 
V can calculate the correct responses R(ci) and so can calculate an error Si for 
the i-th round. While the legitimate user U should also be able to calculate the 
correct responses, due to noise, there may be errors in the received responses. 
On the other hand, the attacker has to resort to guessing, so the expected error 
of the attacker should be higher than that of the user. In order to trade off 
false acceptances with false rejections, we need a threshold value r, such that a 
prover is accepted if and only if the total error observed is smaller than r. More 
precisely, we define: 

Definition 1. An additive thresholded multi-round challenge-response authen- 
tication protocol has the following parameters: 

1. A natural number n > 0, equal to the number of challenge-response rounds. 

2. A threshold r > 0. 

3. An error function e = ^"=i ei > where Si € [0,1] represents the error of 
the i-th round. 

The verifier V rejects the prover (authenticator) V , if and only if e > r. 

The relation of e to the challenge and response strings c and r strongly 
depends on the protocol. In order to make our analysis generally applicable, we 
define pa < E(£j | A), a lower bound on the expected per- round error of the 
attacker and pu > E(ei | [/), an upper bound on the error of a legitimate user. 
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These bounds depend on the noise and on the protocol under consideration. We 
shall return to them in section |U 

3 Expected loss analysis 

We now specify our potential losses. For every round of the rapid-bit exchange 
phase, we suffer loss Is- In addition, we suffer a loss of I a for each false accep- 
tance and a loss £jj for false rejection^ Given that we perform n rounds, the 
total loss when the prover V is either the legitimate user U or the attacker A is 
given by: 

{n£ B +£u, if e > r and V = U 
u£b+£a, if s < t and V = A (1) 
ti£b, otherwise. 

Armed with this information, we can now embark upon an expected loss anal- 
ysis. We wish to devise an algorithm that guarantees an upper bound on the 
expected loss EL. To start with, we note that the expected loss when the 
communicating party is an attacker A or the user U, is given respectively by: 

E(L | A) = nl B + P(e < r | A) ■ t A + P(e > r | A) ■ (2) 
E(L | U) = n£ B + P(e < r | U) ■ + P(e > r | U) ■ £ v . (3) 

The expected loss is in either case bounded by the worst-case expected loss: 

L = max {E(L \ A), E(L \ U)} > E L (4) 

If we can find an expression that bounds both E(L \ A) and E(L \ U), we 
automatically obtain a bound on the expected loss, E L. 

The remainder of this section is organised as follows. Section l3~T1 shows how 
a nearly-optimal threshold f * for a given number of rounds n can be chosen 
and gives bounds on the expected loss for that choice. Section I3T21 shows how a 
nearly-optimal number of rounds n* can be chosen and gives further bounds. 

3.1 Choice of threshold 

We want to choose a threshold r such that no matter whether the prover V is 
the attacker A or the legitimate user U the expected loss E(L \ V) is as small 
as possible. The problem is that as we increase the threshold r, E(L | V = U) 
decreases, while E(L \ V — A) increases. The opposite is happening when 
we decrease the threshold t. Thus, to minimise the worst-case expected loss, 
we can choose a threshold r such that E(L \ V = A, t) = E(L \ V — U,t). A 
particular choice of the threshold r that minimises an upper bound on the worst- 
case expected loss is given in Theorem [TJ As an intermediate step, we obtain a 
bound on the worst-case expected loss for any given threshold r. Formally, we 
can show the following: 

3 These losses are subjectively set to application-dependent values. Clearly, for cases where 
falsely authenticating an attacker the impact is severe, I a must be much greater than Ijj . 
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Lemma 1. Let € [0, 1] be the error of the i-th round. If, for all i > 0, it holds 
that za = E(ej I A) > pa and zjj = E(ej | U) < pu, for some pa,Pu € [0, 1] 
such that npA < t < npu , then: 

£(n; t) = nl B + max |cxp ^— — ( n Pu — t) 2 ^J Ijj, exp ^— — (npA — t) 2 ^ ^ 

> max{E(X | A),E(L \ U)} > EL. (5) 
Proof. The expected loss when "P = A, is simply: 



E(X | A) = nl B + P ( 



Si < T 



A I A 



= nl B + P ( £i _ nZA < T ~ UZA 

< nl B + P ^2 £l ~ n ^ A <T ~ n PA 
<n£ B + e~^ npA ~ r *> 2 £ A , 



A J I A 
A) l A 



the last two steps used the fact that za > Pa and the Hoeffding inequality (flT 
Specifically, in our case, Lemma [21 fpage 1141) applies with X; = ej. Then, it is 
easy to see that fii = for all i and bj — otj = 1, so P(e < npA + nt \ A) < e ~ 2nt . 
By setting r = npA + Ht, we obtain t = (r — np^) / n, which we can plug into the 
above inequality, thus arriving at the required result. The user case, V = U, is 
handled similarly and we conclude that E(X | U) < nl B + e^i^ npu ~ T ^ £u. □ 

Having bounded the loss suffered when choosing a specific threshold, we now 
choose a threshold f * that minimises the above bound for fixed n. In fact, we 
can show that such a threshold results in a particular loss bound. 

Theorem 1. Let p = Ia/^u an d select 

-» a n(p A +Pu) Inp 



2 4A 

If n Pu l£ t < npA, then the expected loss EL is bounded by: 



(6) 



E(L\n,f*)<C 1 (n)^ne B + e-^ A ■ y/ljj^j. (7) 
with A = pa — Pu ■ 

Proof. Substitute © in the first exponential of to obtain: 

e -%(n PU -t*r £u = exp (_| A2 + 1 lnp _ J^ji + ^ £u 



e ^a^V£^4 



It is easy to see that the exact same result is obtained by substituting © in the 
second exponential of ([5]). Thus, both E(X | A) and E(X | U) are bounded by 
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the same quantity and consequently, so is max{E(X | A),E(L | [/)}. Thus, 



£(n, f£) < ni B + exp (-| A 2 ) • cxp f-g^J ■ 

1 2 

where we simplified the bound by noting that 8 " A P ^ > 0. □ 

The intuition behind the algorithm and the analysis is that it is possible 
to bound the probability that A makes less errors than expected, or that U 
makes more than expected. For this reason, the f* chosen in the theorem must 
lie between npu and npA- This also implies a lower bound on the number of 
rounds n. 



3.2 Choice of the number of rounds 

Using similar techniques to those employed for obtaining a suitable value for 
the threshold, we now indicate a good choice for the number of rounds n and 
provide a matching bound on the expected loss. 

Theorem 2. Assume IaAu^b > 0. If we choose t = f* and 



a VI + 2CK — 1 

c ' ® 



where C = A and K = \/£a£u /^B> then the expected loss ML is bounded by: 



E(L\T*,h*)<C 2 ^y/mC-£B = V By T ■ (9) 



Proof. We shall bound each one of the summands of ([7]) by y/2K/C ■ l B - For 
the first term we have: 



V1 + 2CK-1. VT+2CK. 
n£ B = ^ Zb < Ib 



V2CK „ 2K n 

< — IB = ^-lB. 

For the second term, by noting that e x > 1 + x, we have: 



_n A 2 V£UFa~ _ K£ B _ 2Kl B 2K£ B 2Kh 



^^' e2A -l + fA2 i + nc = 2 + nC 1 + VT+2CK 

< 2ifl B < 2glg = f2K £ 
~ VI + 2CK ~ V2CK V C B ' 
Summing the two bounds, we obtain the required result. □ 

This theorem proves that our worst-case expected loss L grows sublinearly 
both with increasing round cost (with rate 0(e 1 ^ 2 )) and with increasing authen- 
tication costs (with rate 0(e 1 / 4 )). Furthermore, the expected loss is bounded 
symmetrically for both user and attacker access. Finally, there is a strong de- 
pendence on the margin A between the attacker and the user error rates, which 
is an expected result. 



7 



4 Analysis of RFID thresholded protocols 



Currently, the only known protocols employing an authentication phase without 
any error correction that we are aware of are RFID distance bounding protocols. 
For that reason, we shall examine the properties of two such protocols, for which 
it is possible to derive expressions for pa,Pu given a symmetric channel noise 

LO. 

The Swiss-Knife protocol [TU] and the variant Hitomi [TJ] are thresholded 
authentication protocols satisfying Definition [1] It is easy to show (for details 
see [12]) that, for those two protocols, under channel noise ui, the expected error 
bounds pa,Pu are given by: pa = Pu — 2lu, where we note in passing that 
PA > Pu and so w < | . Finally, by substituting A = pa~ Pu — 1 ~2^ m © > we 
obtain the following bound for Swiss-Knife and Hitomi: 



EL<ne B + e i — • y/£ A £u, (10) 

We have performed a number of experiments to test the efficacy of these 
protocols, when used in conjunction with our suggested, as well as the optimal 
values of the threshold and number of rounds. In all of the experiments shown 
here, we chose the following values for the losses: £a = 10, £u = 1, @b = 10~ 2 . 



Figure 1(a) depicts the bound (|10[) on the expected loss, as well as the actual 
E L calculated via the binomial formula, when the threshold f. * , calculated from 
(0, is used. We plot both the expected loss and the bound for two different 
channel noise levels cj G {l0 _1 ,10~ 2 }, where the number of rounds n varies 
from 1 to 256. Obviously, the bound is greater than the actual expected loss, 
while it approaches it exponentially fast as n increases. In addition, the losses 
are higher when the amount of noise increases. 

Furthermore, we can see that there are minimising values of n for all cases. 
While they do not coincide for the bound and the actual expected loss, they 
are within a factor of two of each other. Finally, h* , the value of n minimising 
the bound, is always greater than n* = argmin n max-pg^^ E(L | V,n), the 
value of n that minimises the worst-case expected loss. Since the probability of 
incorrect authentication always decreases with increasing n, this implies that 
any additional losses incurred by using h* is due to transmission costs only. 



Figure 1(b) examines the effect of noise in more detail. In particular, it de- 
picts the worst-case expected loss for the optimal number of rounds n* , denoted 
by E(L | n*) in the legend. This is of course smaller than E(£ | h*), the loss 
suffered by choosing h* , with the gap becoming smaller for larger error rates. 
Since when this occurs, the expected loss is very close to C\, this implies that 
the bound of the Theorem 1 needs considerable tightening for small uj. Finally, 
£2 is considerably looser, and thus it is only of theoretical interest. 

Finally, due to the way that the protocols under consideration generate 
challenges and responses, the number of rounds n must be smaller than the 
length k of the messages in the initialization phase and also the length of the key 
x. Thus, in practice we will always select a number of rounds n = min{n*, k}. 
This condition is necessary since the responses r for both protocols are calculated 
using an XOR operation between the secret key x and a constant value (i.e. 
either a or (3) that has the same length k. Since these protocols are only used 
as examples, it is beyond the scope of this paper to propose protocols that do 
not suffer from this limitation. 
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5 Estimating uj 



In this section, we discuss how it is possible to calculate the channel error rate 
to. which is used in the expressions for pa,Pu- This can be done by leveraging 
the coding performed during the initial and final phases of the protocol. We 
assume some coding function $ : X rn — > X k , with k > m, and a metric 7 on X 
(where usually X = {0, 1} and 7 is the Hamming distance) such that: 

7mi„ = MHx),$(y)) :x,ye X m ,x + y} (11) 

is the minimum (Hamming) distance between valid codewords. For a given 
x € X m , the source transmits cf> = &(x) and the sink receives (f>, with (/),(/)£ X n . 
As before, we assume that the physical channel has a symmetric error rate 
ui = F((pi ^ cf>i), where <pi denotes the i-th bit of <fi. This is then decoded as 

x = argmin |7(</>, &(y)) ■ y £ A" m |. Let 9 be the number of errors in the string 

<f>, or more precisely 9 — Let 9 = 7($(x), </>) be the distance between 

the closest valid codeword <&(£) and the received (f>. If 9 < (7 m ; n — l)/2, then 
9 = 9. 

The crux of our method for estimating uj relics on the number of errors 9 
being less than (7 m ; n — l)/2, in which case, the estimated number of errors 9 
will equal 9. Let uj = ^ be our empirical error rate. In that case, the expected 
empirical error rate equals the true error rate. More formally: 

E(^|0<(7mi„-l)/2)=w. (12) 

If 9 > (7 m i n — l)/2 then the protocol fails in any case, due to decoding errors 
in the initial or final phases. If not, then the above equation holds and we can 
obtain high probability bounds for uj via the Hoeffding inequality (Appendix, 
Lemma[5|). In particular, it is easy to show that, for any S £ [0, 1]: 

p(|a-«l>V^)^. ( 13 ) 

by substituting the square-root term into (|19l) . and setting /ii = uj, Xi = 9, 
(H = 0, hi = 1. Consequently, for the Swiss-Knife family of protocols the 
following values for pa and pjj hold with probability 1 — 5: 

l + uj /In 2/6 n „ / 2 In 2/5 

While we were unable to provide bounds on the performance of this choice, 
experimental investigations presented in the next section indicate that it has 
good performance. 

5.1 Evaluation Experiments 

We have performed some experiments to evaluate our methods in a more realistic 
setting, involving an RFID distance bounding protocol with a rapid-bit exchange 
phase. We perform simulations for two cases: Firstly, when a legitimate user 
U is trying to get authenticated and secondly, when an adversary A is trying 
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to perform a mafia fraud attack. We have estimated the worst-case expected 
loss by running 10 4 experiments for each case, obtaining a pair of estimates 
E(L | A), E(L | U) by averaging the loss L, as defined in ([1]), incurred in each 
experiment and taking the maximum of the two. In all of the experiments shown 
in this section, we chose the following values for the losses: Ia = 10, Ijj = 1, 
£b = 10~ 2 , while we used k — 2 10 for the coded messages in the initialisation 
phase. 

The actual values pa,Pu depend on u>, which is unknown. We compare three 
methods for choosing pa,Pu- Firstly, guessing a value uj for the channel noise. 
Secondly, using the maximum likelihood noise estimate uj = 8/k. In both cases, 
we simply use w as described at the beginning of Sec. [4] to obtain pa,Pu- In the 
third case, we use the high-probability bounds (|14[) for pa,PUi with an arbitrary 
value of 8. 

In the first experiment, we use the nearly-optimal threshold and number 
of rounds that we have derived in our analysis. In the second experiment, wc 
replace our choice of threshold with a choice similar to that of Baigneres et al. [1] . 
Their threshold is derived via the likelihood ratio test, which is asymptotically 
optimal (c.f. HE]) 

n In \~ Vu 

t=—, i=£4 (15) 

In - In ^ K ' 

1—pA PA 

Since in our case we have unequal losses £a and lu, we re-derive their threshold 
via a Bayesian test (to which a Bayesian formulation of the Neymann-Pearson 
lemma [B; applies) to obtain: 

n In \~ Pu — In p 

= 1-PA ^ (lg) 

l— Pa Pa 

Interestingly, for small A, the form of f is similar to f*: Let p such that pa — 
p + A/2 and pu — p — A/2. Then (TIB]) can be approximated by: 

- P( X ~ g) i h7 > 
t* = np — inp (17) 

More details on the derivation of (|16l) are given in Appendix IA. 21 

Figure [2] depicts the worst-case expected loss L as a function of the actual 



noise uj. Figure 2(a) shows L using the threshold r derived from our expected loss 
analysis ([6]), while in Figure [2(b) | we use the asymptotically optimal threshold 
of (fTo| . In both cases, we plot L, while the actual noise uj is changing, for a 
number of different cases. Initially, we investigate the evolution of L for three 
arbitrarily chosen values uj € {10" 1 , 10~ 2 , 1CP 3 }. Additionally, we examine the 
evolution of the worst-case expected loss, when the noise is empirically estimated 
uj = 6/n and finally when pa and pjj are calculated via equation (|14l) with 

s e {rcr\Kr 2 }. 



As it can be seen in Figure^ in all cases (using ours Figure 2(a) or Baigneres 



et al. [T] threshold Figure 2(b) I the worst-case expected loss is very low for small 
values of the actual noise and increases sharply when the actual noise exceeds 
the value of 10" 1 . It is interesting to see that when we use the optimisti<jf| high 



4 Experiments with pessimistic high probability estimates for the noise showed a significant 
increase in the number of rounds used, which resulted in a higher expected loss. 
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probability estimates for pa,Pu> we obtain almost always better performance 
than simply guessing the noise, or using the plain empirical estimate Co directly. 
Furthermore, using the asymptotically optimal threshold (1161) . we observe a 
deterioration in the results. 

As mentioned in the related work (Sec. the choice of the threshold by 
Baigneres et al. PQ is only asymptotically optimal. Ours, while not optimal, 
gives a worst-case expected loss guarantee for any finite sample size. Thus, it 
has better performance when the asymptotic approximation is not sufficiently 
good, which occurs when both the number of rounds n and the gap A are small. 

Finally, note that in the Swiss-Knife and Hitomi protocols, the size of 
the initialisation messages is fixed, since the number of rounds n is fixed. In 
practice, one would have to modify these protocols in order for them to work 
with an arbitrary number of rounds, but this subject is beyond the scope of this 
paper. Our focus is mainly the expected loss analysis of the noisy authentication 
phase. 

6 Conclusion 

We have performed an expected loss analysis for thresholded authentication pro- 
tocols under noise. This is particularly significant for areas of communications 
where challenges and responses are costly and where there exists significant un- 
certainty about the correctness of any single response. More precisely, we have 
shown how to select a threshold and provided an upper bound on the worst-case 
expected loss. Additionally, we have shown how to select the number of rounds 
in order to tighten the loss and obtained a loss bound that holds uniformly 
and depends only on the error rates of the user and attacker and the individual 
losses. We have applied these choices of threshold and number of rounds to two 
representative distance bounding protocols, the Swiss-Knife and the Hitomi. 
In addition, we have presented a high-probability method for estimating the 
channel noise for such protocols. We have examined its performance in further 
simulation experiments with unknown channel noise, and shown that we obtain 
uniformly superior results to guessing or direct empirical noise estimates. Fi- 
nally, we repeated those experiments with a asymptotically optimal threshold 
similar to that used by Baigneres et al. Q]. Our results indicate a significant 
improvement through the use of a threshold with uniform, rather than asymp- 
totic, guarantees. Consequently, it is our view that algorithms motivated by 
an asymptotic analysis should be avoided in the finite-sample regime of most 
challenge-response authentication protocols. 
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Figure 2: The worst-case expected loss as a function of noise. We plot the 
evolution of the loss as noise changes, for a number of different cases. Firstly, 
for the case where we arbitrarily assume a noise value lu g {10 _1 , 10~ 2 , 10 -3 }. 
Secondly, for an empirically estimated Co = k/n, and finally for pa,Pu calculated 
via equation with S G {10 _1 , 1CT 2 }. 
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A Auxilliary results 
A.l Useful formulas 

If X\, . . . , X n are Bernoulli random variables with Xk £ {0, 1} and P(Xk = 1) = 
/i for all k, then 

\fe=l / k=0 ^ ' 

This probability can be bounded via Hoeffding 'a inequality [5] : 

Lemma 2 (Hoeffding). For independent random variables X\, . . . , X n such that 
Xi € [a,i, bi], with [ii = EXj and t > 0: 



^Xi>^2iM + nt\ =F(j2x i <J2t M -nt \ < exp 

V.»=l »=1 / \i=l i=l / 



2n 2 f 



2-i2 



Er=i(^-«i) 2 

(19) 



A. 2 On asymptotic thresholds 

One way to obtain an asymptotically optimal threshold is to employ a Bayesian 
hypothesis test [B]. This requires defining a prior probabilty on the possible 
hypotheses. In our case, the hypothesis set is H = {A, U}, on which we define a 
prior probability n. For {0, 1} errors, the probability of observing e errors out of 
n observations is given by P(e | A) and P(e | U) for the attacker and user respec- 
tively and it follows a binomial distribution with parameters pa,Pu respectively. 
Given an observed error x, the posterior probability of any hypothesis h G H is: 

w(h\e = x)= ne = *\h).{h) 



We then define a decision set G = {gA,gu,9<t>}, where gA means we decide that 
the prover is an attacker and gu means we decide that the prover is a user and g% 
means that we are undecided. Finally, we define a loss function L : G x H — » R, 
such that L(g, h) is our loss when we decide g and h is the correct hypothesis. 
The expected loss of decision g £ G, under our prior and given e errors out of 
n is: 

E W (L | £,</) = J2 L (9,hMh\e), 

heH 

where denotes expectation with respect to the prior tt. Now define the 
decision function q : {0, 1, . . . , n) G: 

q ^ a 19U, if E T (L | e, g v ) < E W (L | e, g A ) ^ 
\g A , if Eir(L | e,gu) > E V (L \ s,g A ). 

This decision function minimises E w L by construction (c.f. [5J ch. 8). The 
following remark is applicable in our case: 
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Remark 1. Assume i.i.d errors with Si G {0, 1} 7 so that we can use a binomial 
probability for P(e | h). Set the loss function L to be L(gu, A) — i A , L(g A , U) = 
i\j and otherwise. Then the decision function (f2U)) becomes equivalent to: 



where 



9u, ife<n 
9 A, ifs>Tb, 



Tb ~ In \=ZL - In 2^ 
l— Pa Pa 

Proof. We start by calculating the expected loss for either decision. First: 

I = I e) = 7riA)n£lA) + 7r{u)n£lu y 

due to our choice of L and 7r. Similarly, 

e A 7r(A)P(e | A) 



E W (L | e, gu )=e A ir(A | e) 



tt(A)P(£ I A) + n(U) P(e | [/)' 



Combining the above expressions, the decision function (|20|) can then be written 
so that we make decision gu if and only if: 

£ A Tr(A)F(e | A) < £uTr(U)P(e \ U). 

Finally, replacing (|18p with means pa,Pu respectively and taking logarithms we 
obtain: 

ln[p7r(A)/7r([/)l + e ln E± < ( n _ e ) m Iz££ 
Pc/ 1 - PA 

as a condition for deciding gu. With some elementary manipulations, we arrive 
at the required result. □ 

Given the conditions of the previous remark, it is easy to see (c.f. jHj ch. 8) 
that the decision function q minimises the Bayes risk: 

E^L | q) = tt(A) P(e < n \ A)i v + tt(U) P(e > n \ U)l A . (21) 

Furthermore, for n(A) = n(U) = 1/2, we obtain (fTB|) . In addition, this choice 
also minimises an upper bound on the worst-case expected loss since: 

maxE(L | h,q) < E(L \h,q) = 2E 7r (i | q). 
heH 

for uniform n. 

Finally, the asymptotic optimality of Bayesian testing generally follows from 
Bayesian consistency (c.f. [5] ch. 10). More specifically, [5] has proved the 
asymptotic optimality of Bayes solutions for hypothesis testing of the type ex- 
amined here. 
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